I discussed paperwork and protecting paperwork yesterday in my post about finding spaces for things, but how and why to protect your correspondence is a larger topic, and an important one.
What Is Identity Theft/Identity Fraud?
Identity theft/fraud is where someone else pretends to be you in order to steal your money, get a job, credit card, or loan in your name, or steal your government benefits and tax refunds. It can be used to frame you for crimes you did not commit or leave you responsible for purchases you didn’t make.
According to the Federal Trade Commission’s Consumer Sentinel Network Report, consumers reported $905M in total fraud losses in 2017, a 21.6% increase over 2016. The average fraud loss was $429. (Thanks to Experian for compiling this data.)
Your financial identity and life are valuable property that belongs to you and you alone. People who want to steal your money want it very badly.
Let me say that again, to be very clear.
Your financial identity and life are valuable property, and they belong to you and you alone.
Your identity is as valuable and as vulnerable as your grandmother’s diamond ring or your 60″ 4K UHD television. More so, because in this day and age of the Internet, there are a lot more people who have access to sensitive information, including yours, than ever before.
How Do I Stop This From Happening?
It’s impossible to 100% guarantee it’ll never happen. In order to do business, you have to give sensitive information that positively identifies you to everyone with whom you do business. They need it, and they have a legitimate right to know it. As part of their business, they keep databases with everyone’s information in it — and this makes all such entities targets for hacking and theft of personal information.
When you give a business your personal information, you’re trusting them to protect it, and you kind of have to. When that trust is breached, you have a problem. There isn’t too much you personally can do to prevent someone else from being hacked.
The good news is, there are things that you can do to prevent people from targeting YOU for your personal information.
Lock Up Your Paperwork
Your personal paperwork, whether it’s in paper or digital form, should be locked up with strong keys. Your filing cabinet, including your credit cards, identification documents, and checkbook if you have one, should have a combination or key lock on it, and should be located in a place in your home that is not open to visitors and is not readily identifiable from a window.
If you work paperless, as more and more people are doing these days, all of your digital records should be on a hard drive that has Encryption at Rest (EAR) enabled. For example, if you have an Apple computer, you should turn FileVault on. For Windows machines, Symantec, McAfee, and several other companies include EAR as part of their security suite.
If you keep your stuff on the cloud, don’t rely on the provider’s encryption, because if your provider is hacked, that exposes you as well. I’m personally a huge fan of the product BoxCryptor for protecting cloud storage. It encrypts all files and their names on the fly with a strong encryption key that they do not retain — if you ever lose your password, you’ll lose the files forever. This is actually a good thing, because it means that no hacker can get what the company does not have.
Be Awesome With Passwords
Security mavens tell you to use a different, strong, random password for everything you access. Yeah, okay, if you’re eidetic, that might work for you. No normal human can remember that many passwords, and any security expert who is reading this and thinks that’s a reasonable ask needs to be beaten soundly with a reality check.
There are solutions, though.
Generating Awesome Passwords
Take a phrase or a saying or a lyrical line and concatenate it. For example, “This network is too damn secure” might become: tni2ds
However, that still isn’t all that great. You want your passwords to be at least 8 characters long, and a good password will have upper and lower case letters, numbers, and special characters in it. What’s more, every system will have its own requirements for what it will and will not allow. Some will want them longer than that, some might not allow certain characters. So let’s try that again, making the above eight characters and incorporating all character types.
Note that the use of emoticons is a fun way to incorporate special characters into your password!
Don’t ever use your name, your username, a dictionary word, or your birthday as the basis for your password. This subjects you to something called a dictionary attack. Using the concatenation method described above avoids the dictionary attack.
💡 You can generate a few passwords and then modify or tailor them for each system. For example, you can generate a password base and then add on a character or word that represents that system. Add some at the beginning, some at the end, some in the middle, vary the character — the passwords are related but different and still possible to keep track of.
Change Them Periodically
How often you change your password is up to you and your life, but you should change your passwords every time a breach on a system you use is reported. This is the value of different passwords for every system — breach of one system gives a hacker no information about any other you might use.
It’s a balancing game – being able to remember all that versus your security level.
Enter my third tip.
Use A Password Locker
A password locker is a program on your computer that is like a database for your passwords. The program itself should use strong encryption such as AES-256 to encrypt the database and should have a browser extension that will auto-fill your password for you. This method allows you to remember one password, have a completely unique password for every system, AND foil a malware program called a keylogger – after all, how can a keylogger record your keystrokes when you’re either cutting and pasting or using auto-fill?
The main danger is that your password locker can become a target, so choose one with strong encryption. Note that some people consider auto-fill a risk as well — it’s up to you. Some of the common ones include LastPass, 1Password, Abine Blur, and Dashlane.
Shred It, Don’t Trash It
Get a good cross-cut shredder and shred any old mail, bank statements, bills, or paperwork that you no longer need. If it contains any of the following, it should be shredded:
- Your full legal name
- Your name and address together
- Your social security number
- Your driver’s license number
- Account numbers of any kind
- Any correspondence from your bank or credit card provider
- Any correspondence from a government entity
- Any monetary balances for any account
If you have a fireplace, shredded documents make good firestarters.
Don’t Fall For Phishing
Social engineering – the use of natural human tendencies to maneuver people into helping you achieve a goal – is a pervasive hacker tool. It is used to gather information, or to trick people into installing malware on their machines that allows the hacker to control their computer – a practice known as pharming.
There are tons of resources on the Internet for how to spot phishing and pharming scams. The FDIC has a good starting point, but here are a few basic rules to keep in mind:
- A legitimate outfit will never ask you for personal information by email. They don’t need to — if someone with a legitimate need to know needs access to your account, they can get it without asking you.
- A lot of phishers will make threats, try to scare you, or set a deadline for you to act. If you see any of these items, think, because that’s exactly what they’re trying to get you not to do. It’s probably a scam.
- Who are you again? If it’s something you’re not expecting or from someone you don’t know, check the headers. If it appears to be from you, is from another country, or otherwise looks funny, it’s a scam. If the headers are missing or incomplete, it’s definitely a scam.
- Is the promise too good to be true? Remember: if it seems too good to be true, it probably is.
- Do they want something (usually money) up front? If so, chances are it’s a scam.
- Never click on a link in an email that you aren’t expecting. Right click or hover over the link to see where it really goes — if it doesn’t match, it’s a scam. Look for misspellings and transposed letters.
- Be cautious of attachments. Scan everything before you open it, and if you didn’t expect it, don’t open it at all.
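The link rule above (see where the link really goes, and look for misspellings and transposed letters) can be checked by a short script. This is an added example, not code from the original post: it compares each link's real destination with the address shown in the text and flags look-alike domains. KNOWN_DOMAINS, the function names and the sample message are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

KNOWN_DOMAINS = ("examplebank.com", "example.org")  # assumption: sites you really use

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def osa_distance(a, b):  # edit distance; swapping two adjacent letters counts as one edit
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.in_link = [], False  # links holds [href, visible text] pairs
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.in_link = True
            self.links.append([dict(attrs)["href"], ""])
    def handle_endtag(self, tag):
        self.in_link = self.in_link and tag != "a"
    def handle_data(self, data):
        if self.in_link:
            self.links[-1][1] += data

def check_links(html):
    """Map each link's href to the reasons (possibly none) it deserves a second look."""
    collector = LinkCollector()
    collector.feed(html)
    results = {}
    for href, text in collector.links:
        target = re.sub(r"^www\.", "", urlsplit(href).hostname or "")
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())  # domain-like text
        results[href] = [f"looks like {k}" for k in KNOWN_DOMAINS
                         if not same_site(target, k) and osa_distance(target, k) <= 2]
        if shown and not same_site(target, re.sub(r"^www\.", "", shown.group(0))):
            results[href].append("visible text names a different site")
    return results

# Constructed sample body, not taken from a real message.
SAMPLE_HTML = ('<a href="https://exampelbank.com/verify">https://www.examplebank.com/verify</a>'
               '<a href="https://www.examplebank.com/help">Help centre</a>')
```

Calling check_links(SAMPLE_HTML) returns two reasons for the first link and an empty list for the second, which points at the real site.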
Keep Your Anti-Virus Up To Date
If you don’t have an anti-virus program, get one. If it’s expired, renew it. Update it weekly on a schedule.
WARNING: Think about who makes your anti-virus program. Should you trust an anti-virus made in Russia? Probably not.